There are two prongs to the patch management agenda. One is the patch management plan that handles the physical delivery of software to qualified computers, while the other revolves around the patch management policies that enforce the need for the former to be employed. Meaning, in order for there to be a patch management process that actually downloads and delivers the patches to computers in your infrastructure, you need the legal verbiage to force users to install the patches once they are approved and released to the network.
The first place a patch management process has to start is within the decision making engine of a company. The policy if the company must state that in order for a computer to participate in and have access to the network, it must have the latest operating system patches in place. If a computer is found not to have the latest software updates, the company reserves the right to disconnect it from the network, either by physical disconnection of a patch cable or by disabling its wireless access. These patch management policies should also clearly state that purposefully circumventing the corporate patch management process by disabling the updater service on a computer or otherwise aborting system updates, a user is in violation of policy and disciplinary action may be taken.
This may seem a bit forceful, but consider the importance of maintaining the safety of sensitive company data and the risks associated with not adhering to the patch management process. The patches installed onto a computer are there to close security holes that, if left unchecked, could allow someone to gain access through several different methods all which take advantage of security holes in the operating system. Adherence to a patch management process will greatly decrease the likelihood of putting company data or the network at risk for intrusion.
